<!DOCTYPE html>
<html lang="zh-cn">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    
    <title>设置本地 nginx 的 HTTPS | liuz2&#39;s Blog</title>
    <meta name="viewport" content="width=device-width,minimum-scale=1">
    <meta name="generator" content="Hugo 0.63.1" />
    
    
      <META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
    

    
    
      <link href="/dist/css/app.9576afd3b3c158d98f48ec5df01fec6a.css" rel="stylesheet">
    

    

    
      

    

    

    <meta property="og:title" content="设置本地 nginx 的 HTTPS" />
<meta property="og:description" content="生成自签名的证书，添加信任，配置 nginx" />
<meta property="og:type" content="article" />
<meta property="og:url" content="https://liuz2.gitee.io/posts/local-https-certificates/" />
<meta property="article:published_time" content="2021-08-01T08:05:00+08:00" />
<meta property="article:modified_time" content="2021-08-01T08:05:00+08:00" />
<meta itemprop="name" content="设置本地 nginx 的 HTTPS">
<meta itemprop="description" content="生成自签名的证书，添加信任，配置 nginx">
<meta itemprop="datePublished" content="2021-08-01T08:05:00&#43;08:00" />
<meta itemprop="dateModified" content="2021-08-01T08:05:00&#43;08:00" />
<meta itemprop="wordCount" content="206">



<meta itemprop="keywords" content="https," /><meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="设置本地 nginx 的 HTTPS"/>
<meta name="twitter:description" content="生成自签名的证书，添加信任，配置 nginx"/>

	
  </head>

  <body class="ma0 avenir bg-white">

    
   
  

  <header>
    <div class="bg-black">
      <nav class="pv3 ph3 ph4-ns" role="navigation">
  <div class="flex-l justify-between items-center center">
    <a href="/" class="f3 fw2 hover-white no-underline white-90 dib">
      
        liuz2&#39;s Blog
      
    </a>
    <div class="flex-l items-center">
      

      
        <ul class="pl0 mr3">
          
          <li class="list f5 f4-ns fw4 dib pr3">
            <a class="hover-white no-underline white-90" href="/about/" title="About page">
              About
            </a>
          </li>
          
          <li class="list f5 f4-ns fw4 dib pr3">
            <a class="hover-white no-underline white-90" href="/links/" title="Links page">
              Links
            </a>
          </li>
          
          <li class="list f5 f4-ns fw4 dib pr3">
            <a class="hover-white no-underline white-90" href="/timeline/" title="Timeline page">
              Timeline
            </a>
          </li>
          
        </ul>
      
      















    </div>
  </div>
</nav>

    </div>
  </header>



    <main class="pb7" role="main">
      
  
  <article class="flex-l flex-wrap justify-between mw8 center ph3">
    <header class="mt4 w-100">
      <h1 class="f3 athelas mt3 mb1">设置本地 nginx 的 HTTPS</h1>
      
      
      <time class="f6 mv1 dib tracked" datetime="2021-08-01T08:05:00&#43;08:00">August 1, 2021</time>

      
      
    </header>
    <div class="nested-copy-line-height lh-copy sans-serif f5 nested-links nested-img mid-gray pr4-l w-two-thirds-l"><blockquote>
<p><strong>2021-08-24 更新</strong>：Node.js 12.x 默认使用 TLS 1.3。在旧版 Node.js 正常使用的自签名证书，可能在 Node.js 12.x 上报错 <code>ERR_SSL_KEY_USAGE_INCOMPATIBLE</code>。为了解决这种报错，可以降级 Node.js，也可以使用如下方法生成新的证书。</p>
</blockquote>
<h2 id="创建密钥">创建密钥</h2>
<p>首先，进入 nginx 配置目录，创建 openssl 配置文件 <code>req.conf</code>，其中的 <code>CN</code>, <code>DNS.1</code>, <code>DNS.2</code> 等需要替换为自己的域名。</p>
<pre><code>[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = www.company.com
[v3_req]
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.company.net
DNS.2 = company.com
DNS.3 = company.net
</code></pre><p>如果域名较多，且都隶属于同一个主域名，可以将 <code>DNS.1</code>、<code>DNS.2</code> 等简化为 <code>*.example.com</code>。即：</p>
<pre><code>...
[alt_names]
DNS.1 = *.example.com
</code></pre><p>接着，执行如下命令，创建证书：</p>
<pre><code>openssl req -new -x509 -nodes -days 36500 -newkey rsa:2048 -keyout cert.pem -out cert.pem -config req.conf -extensions v3_req
</code></pre><h2 id="配置-nginx">配置 nginx</h2>
<pre><code>server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate cert.pem;
    ssl_certificate_key cert.pem;
    location / {
        root /Users/example/hello/world;
        index index.html index.htm;
    }
}
</code></pre><p>服务器证书（<code>ssl_certificate</code>）是一个公开文件，每个请求连接的客户端都会收到一份。私有密钥（<code>ssl_certificate_key</code>）是加密单元，需要存储在保密的地方，但要确保 nginx 主线程可访问。私有密钥一般和证书存储到同一位置。</p>
<p><code>cert.pem</code> 就是上一个步骤产生的证书和密钥，在一个文件中。</p>
<h2 id="配置浏览器">配置浏览器</h2>
<p>打开 Chrome 的开发者工具下的【security】选项卡，查看当前的证书，然后下载下来，双击添加到操作系统中，修改为始终信任就可以了。</p>
<h2 id="参考文档">参考文档</h2>
<ol>
<li><a href="https://developer.ibm.com/blogs/migrating-to-tls13-in-nodejs/">Using TLS 1.3 with Node.js</a>, by <em>Sam Roberts</em>, 2019-04-25</li>
<li><a href="https://zhuanlan.zhihu.com/p/23640321">用 Nginx 实现微信小程序本地 SSL 请求 - zhihu</a>, by <em>罗含章</em>, 2016/11/14</li>
<li><a href="https://www.akadia.com/services/ssh_test_certificate.html">How to create a self-signed SSL Certificate - akadia.com</a></li>
<li><a href="https://stackoverflow.com/questions/43665243/chrome-invalid-self-signed-ssl-cert-subject-alternative-name-missing">Chrome: Invalid self signed SSL cert - “Subject Alternative Name Missing” - stackoverflow.com</a></li>
<li><a href="https://textslashplain.com/2017/03/10/chrome-deprecates-subject-cn-matching/">Chrome Deprecates Subject CN Matching</a>, by <em>Eric Lawrence</em>, 2017/03/10</li>
<li><a href="https://support.citrix.com/article/CTX135602_">How to Create a Self-Signed SAN Certificate Using OpenSSL on a NetScaler Appliance - citrix.com</a>, 2017/09/14</li>
<li><a href="http://www.cnblogs.com/yjmyzz/p/openssl-tutorial.html">openssl、x509、crt、cer、key、csr、ssl、tls 这些都是什么鬼?</a>, by <em>杨俊明</em>, 2016/02/03</li>
<li><a href="https://superuser.com/questions/1451895/err-ssl-key-usage-incompatible-solution">ERR_SSL_KEY_USAGE_INCOMPATIBLE Solution</a>, by <em>Tiffany</em>, 2019-06-23</li>
</ol>
<a href="https://gitee.com/liuz2/liuz2/blob/master/content/posts/local-https-certificates.md#tree_comm_title" class="no-underline db b--black pa2 tc bg-black-90" style="color:#eee;">进入留言</a><ul class="pa0">
  
   <li class="list dib">
     <a href="/tags/https" class="link f5 grow no-underline br-pill ba ph3 pv2 mb2 dib black sans-serif">https</a>
   </li>
  
</ul>
<div class="mt6 instapaper_ignoref">
      
      
      </div>
    </div>

    <aside class="w-30-l mt6-l">




</aside>

  </article>

    </main>
    <footer class="bg-black bottom-0 w-100 pa3" role="contentinfo">
  <div class="flex justify-between">
  <a class="f4 fw4 hover-white no-underline white-70 dn dib-ns pv2 ph3" href="https://liuz2.gitee.io/" >
    &copy;  liuz2's Blog 2022 
  </a>
    <div>














</div>
  </div>
</footer>

    

  <script src="/dist/js/app.3fc0f988d21662902933.js"></script>


  </body>
</html>
